This post is also available in: Español

October 31, 2019 is the deadline for the United Kingdom (UK) to take the necessary steps to formalize its withdrawal from the European Union (UE). The UK will become a third country upon its exit and data transfers to the UK will be considered international transfers.

In a no-deal scenario (“hard Brexit”), personal data transfers to the UK would only be allowed on the basis of one of the instruments provided for in the General Data Protection Regulation (GDPR): standard data protection clauses adopted by the European Commission; binding corporate rules for groups of undertakings; or the application of one of the exceptions under article 49 GDPR (essentially, the consent of the data subject or the performance of a contract). In the event of a hard Brexit, companies whose only EU establishment is in the UK will no longer have an establishment in the EU for data protection purposes. In that case, companies that continue to process data from subjects residing in the EU would have to appoint a representative in the Union to deal with any queries from supervisory authorities and data subjects.

In view of the uncertainty about a hard Brexit, it seems useful to identify the processing activities that involve personal data transfers to the UK in order to determine the appropriate instruments to carry out international transfers and meet the requirements of the GDPR. Companies should also assess the need to appoint a representative in the EU.

By Sergi Gàlvez

This post is also available in: Español



42 artículos

Asociado del Área de Propiedad Intelectual y Protección de Datos. Especialista en protección de datos y tecnologías disruptivas. Participa en el asesoramiento recurrente en materia de protección de datos y contratación tecnológica de compañías nacionales e internacionales, especialmente en la configuración jurídica de evaluaciones de impacto, transferencias internacionales de datos personales, contratos de encargo de tratamiento y en el asesoramiento durante violaciones de seguridad. Además de prestar asesoramiento continuado a clientes en los ámbitos mencionados, tiene experiencia en asesorar a empresas de diferentes sectores en la configuración legal de proyectos que implementan tecnologías disruptivas, tales como el Big Data, Internet of Things, artificial intelligence y smart robots.